Starting with the source repository events.

#type=humio #kind=logs

Filters on all logs across all hosts in the cluster.

| loglevel=WARN

Filters for all events where the loglevel is equal to WARN.

| class = c.h.d.ParserLimitingJob

Assigns the value c.h.d.ParserLimitingJob to the class for the logs having the loglevel value WARN.

| "Setting reject ingest for"

Filters for events containing the string Setting reject ingest for. This is the error message generated when ingested events are rejected.

| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )

Groups the returned result by the field id, makes a count on the events and returns the minimum timestamp and maximum timestamp. This returns a new event set, with the fields id, _count, _min, and _max.

| timeDiff:=_max-_min

Calculates the time difference between the maximum timestamp values and the minimum timestamp values and returns the result in a new field named timeDiff.

| timeDiff > 300000 and _count > 10

Returns all events where the values of timeDiff is greater that 300000 and where there are more than 10 occurrences.

Event Result set.